One common symptom of having a hacked Joomla site is unusual slowness. If your site is a little slow, it's not as likely that you've been hacked. However, if when you load a page you experience a sudden increase in load times of 6 to 20 seconds, it's likely that your site has been compromised. Another symptom that you've been hacked is when the slowness only affects the front of your site and your Joomla control panel loads quickly.
The situation can be a little bit bewildering- what is going on here?!
Hackers and security professionals are in a constant arms race; hackers create knives, so security professionals create swords, so hackers create spears, and etc., etc. One of the evolutions that have occurred on the security professional side is improved scanning for hacked files. There are better and better algorithms for identifying when a file is doing something suspicious on a Joomla website. The consequence of this evolution is that the more code that a hacker places on a compromised website, the more likely it will trip one of these scans and be discovered.
How does the hacker circumvent this obstacle? By not placing code on the website.
In order to execute an attack, the hacker must change some files on your Joomla site. However, in order to avoid tripping the alarms of a file scanner, the hacker splits the attack into two parts. They make minimal changes to a few of your site files in order to contact another hacked site that they control. Then, when the hacked files runs on your website, it loads content from a completely different part of the Internet and delivers that as the payload of the attack.
The call to a different website is what is making your site slow. Every time a page loads, that call is being made and it will often take three or four times longer to load the site being used to deliver the content of the attack.
This attack is particularly popular for delivering spammy links or advertising because that content is easier to detect in file scans. Because of this, it's common for this attack to be targeted towards the front of your site and not the backend. It's also common for the hacker scripts to check who is requesting your webpage before calling out to the third-party website so that search engines receive different information than normal visitors. This means that sometimes the hacker scripts will change the content of search results on Google for your website by delivering different information back to Google or do the opposite, where Google has no idea that you've been compromised, but your visitors see different content than what they should.
If your Joomla! site has been compromised, you don't want to fix the slowness, you want to secure your website. That will correct the slow page load times and the deeper issue of being hacked. If you're a developer or a tech savvy person, a good resource is our guide on How to Fix a Hacked Joomla Site. In particular, if you run the page through a debugger as described in the section on finding hacked Joomla files, you should be able to locate the exact section of code where the call to the third-party site is being made.
If you're the website owner and have limited technical skill, your best option is to hire someone else to fix it (we do that.) If you can't afford hiring a professional to correct the problem, your next best option is to attempt to recover the site yourself. The Joomla security forums are a good resource for getting information about potential problems with your site and guidance as you work through the recovery.